AD Permissions Evaluator

Changes all user accounts in a specified OU that do not currently inherit security permissions so that they inherit permissions again.

Written to fix an issue where we were unable to edit the properties of certain user accounts in AD.

Source Code



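'#==============================================================================
'#==============================================================================
'# SCRIPT.........: ADPermissionsEvaluator.vbs
'# AUTHOR.........: Stuart Barrett
'# VERSION........: 1.0
'# CREATED........: 14/04/11
'# LICENSE........: Freeware
'# REQUIREMENTS...: 
'#
'# DESCRIPTION....: Changes all user accounts that do not currently have
'#                  inherited security permissions to have inherited
'#                  permissions in a specified OU.
'#
'# NOTES..........: Runs with "On Error Resume Next", so failures are only
'#                  visible through the explicit Err checks below. Accounts
'#                  whose security descriptor cannot be read during the scan
'#                  are silently skipped rather than reported.
'#                  NOTE(review): accounts protected by AdminSDHolder
'#                  (adminCount=1, members of protected groups) have
'#                  inheritance disabled deliberately and SDProp will re-apply
'#                  that protection; re-enabling inheritance on them is not
'#                  expected to persist - confirm before running on such OUs.
'# 
'# CUSTOMIZE......: 
'#==============================================================================
'# REVISED BY.....: 
'# EMAIL..........: 
'# REVISION DATE..: 
'# REVISION NOTES.: Error detection now covers every account in the change
'#                  loop instead of only the last one; the protected-DACL
'#                  flag is cleared with And Not instead of toggled with Xor.
'#
'#==============================================================================
'#==============================================================================

On Error Resume Next

' SE_DACL_PROTECTED in the security descriptor control flags means the DACL
' does not inherit ACEs from the parent container.
Const SE_DACL_PROTECTED = &H1000

Dim arrDNs()
i = 0
strMsg = ""

strOU = InputBox("This script will change all of the user accounts that do not currently have " & _
    "inherited security permissions to have inherited permissions in the specified OU." & _
    vbCrLf & vbCrLf & "If you wish to continue please enter the required OU below:", _
    "AD Permissions Evaluator", "OU=users,DC=Acme,DC=group")

' The placeholder default and an empty answer are both treated as "cancel".
If strOU = "OU=users,DC=Acme,DC=group" OR strOU = "" Then WScript.Quit

' Enumerate user objects under the chosen OU via an ADO/LDAP paged query.
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000

strBase = "<LDAP://" & strOU & ">"
strFilter = "(&(objectclass=user)(objectcategory=person))"
strAttributes = "adspath,distinguishedname,sAMAccountName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery

Set objRecordSet = objCommand.Execute

If (objRecordset.EOF = True) Then
    MsgBox "There are no users in the specified OU, or the OU has been entered " & _
        "incorrectly. ", vbInformation, "AD Permissions Evaluator"
    WScript.Quit
End If

' Pass 1: collect every user whose DACL is marked protected (inheritance off).
' Note: if GetObject or the descriptor read fails for a record, Control is
' Empty, the And test is 0 and that account is skipped without being counted.
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("adspath").Value
    strUser = objRecordSet.Fields("sAMAccountName").Value

    Set objADObject = GetObject(strDN)
    Set objNtSecurityDescriptor = objADObject.Get("ntSecurityDescriptor")
    intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

    If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) <> 0 Then
        strMsg = strMsg & strUser & ", "
        ReDim Preserve arrDNs(i)
        arrDNs(i) = strDN
        i = i + 1
    End If

    objRecordSet.MoveNext
Loop

objRecordSet.Close

If i = 0 Then
    MsgBox "There are currently no users in AD who do not have inherited permissions. ", _
        vbInformation, "AD Permissions Evaluator"
Else
    ' Drop the trailing ", " and terminate the list.
    strMsg = Left(strMsg, Len(strMsg) - 2) & ". "

    ChangePrompt = MsgBox("There are " & i & " users in AD who do not have inherited permissions, they are: " & _
        vbCrLf & vbCrLf & strMsg & vbCrLf & vbCrLf & _
        "Would you now like to set these users to have inherited permissions?", _
        vbQuestion + vbYesNo, "AD Permissions Evaluator")

    If ChangePrompt = vbYes Then
        ' Pass 2: clear the protected flag on each collected account.
        ' Failures are counted per account; the original only inspected Err
        ' after the loop, which reflected the last iteration alone.
        intUserCount = i
        intErrors = 0

        For i = 0 To intUserCount - 1
            Err.Clear
            Set objADObject = GetObject(arrDNs(i))
            Set objNtSecurityDescriptor = objADObject.Get("ntSecurityDescriptor")
            intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
            ' And Not clears the bit unconditionally; Xor would re-set it if
            ' the flag had changed between the scan and this write.
            intNtSecurityDescriptorControl = intNtSecurityDescriptorControl And (Not SE_DACL_PROTECTED)
            objNtSecurityDescriptor.Control = intNtSecurityDescriptorControl
            objADObject.Put "ntSecurityDescriptor", objNtSecurityDescriptor
            objADObject.SetInfo
            If Err.Number <> 0 Then intErrors = intErrors + 1
        Next

        If intErrors = 0 Then
            MsgBox "The permissions for these users have now been changed. ", vbInformation, "AD Permissions Evaluator"
        Else
            MsgBox "There was an error changing the permissions for these users. " & _
                vbCrLf & vbCrLf & "Please make sure you are running this script as a domain admin. ", _
                vbExclamation, "Error"
        End If
    End If
End If

Set objRecordSet = Nothing
Set objCommand = Nothing
objConnection.Close
Set objConnection = Nothing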